Splunk Enterprise Security

Community Activity
aminfosec
Current search is essentially this: | tstats values(All_Traffic.src) as src from datamodel=Network_Traffic.All_T...
by aminfosec New Member in Splunk Enterprise Security 06-23-2019
0 5
dzejsonborn
Hi everyone, I need to learn SPL searches quickly. In particular, I need to focus on covering the log source (CWS, ...
by dzejsonborn New Member in Splunk Enterprise Security 06-21-2019
0 1
barcher83
The Splunk Add-on for Microsoft Cloud Services is populating the Authentication datamodel in ES, however action="Unkn...
by barcher83 Explorer in Splunk Enterprise Security 06-21-2019
0 2
tjago11
We have Enterprise Security installed for a specific Search Head and would like the _audit logs in a different locati...
by tjago11 Communicator in Splunk Enterprise Security 06-21-2019
0 4
N92
How to use the tstats command with the like function. Ex: | tstats count(eval(Authentication.action, "failure%")) as failure...
by N92 Path Finder in Splunk Enterprise Security 06-20-2019
0 1
pcyr
After installing and configuring this application I am unable to get the adaptive response to run. I continue to get ...
by pcyr Engager in Splunk Enterprise Security 06-19-2019
0 1
Rajesann
I've changed an existing correlation search and its drill-down in the adaptive response actions, but when the notabl...
by Rajesann New Member in Splunk Enterprise Security 06-18-2019
0 0
splinks
Hi, Is it possible to prepopulate an adaptive response action's form from the notable event? Let's say my notable e...
by splinks Explorer in Splunk Enterprise Security 06-18-2019
1 3
vinayakwagh
What is the solution for DR where the ES app is in an SH cluster?
by vinayakwagh Explorer in Splunk Enterprise Security 06-18-2019
0 1
gigibit92
I found the log in plain text on my device during the test, can I add a custom write and custom read feature with an ...
by gigibit92 New Member in Splunk Enterprise Security 06-18-2019
0 0
sahiltcs
We are looking for a query to detect Splunk queries without business justification and also random validation of busine...
by sahiltcs Path Finder in Splunk Enterprise Security 06-15-2019
0 5
Azerty728
Hello, I'm using Splunk 7.2.6 and ES 5.2.2 (on a SHC) and I want to upgrade ES to 5.3 on this SHC environment. Acco...
by Azerty728 Path Finder in Splunk Enterprise Security 06-14-2019
0 5
kirankos
Hi, after installing Enterprise Security 4.7.6, we are constantly getting an error in the console: msg="A script exite...
by kirankos Engager in Splunk Enterprise Security 06-13-2019
0 1
jbrocks
Hello everybody, we have a problem sending notable events from Splunk ES as an email. Email notification works fine ...
by jbrocks Communicator in Splunk Enterprise Security 06-12-2019
0 0
rupalekar
Hi, has anyone run into issues connecting "to" Splunk "from" the Phantom App? I have tried 443 and 8089 and I keep getting ...
by rupalekar Explorer in Splunk Enterprise Security 06-11-2019
1 2
rishrai
I am looking to upgrade the following, using the approach below. My question is: is this upgrade optimal, and will it sustain? ...
by rishrai New Member in Splunk Enterprise Security 06-11-2019
0 4
akostiner123194
Here is my SPL, what am I doing wrong? |tstats count from datamodel=Authentication where ([|inputlookup threatconnec...
by akostiner123194 New Member in Splunk Enterprise Security 06-11-2019
0 1
nb1030
I looked around, but could not find anyone asking this question specifically. Basically, when a notable event trigger...
by nb1030 New Member in Splunk Enterprise Security 06-11-2019
0 2
spectrum2035
Hello, Currently we have Single Search Head Cluster with Enterprise Security and single Indexer Cluster. As part of ...
by spectrum2035 Explorer in Splunk Enterprise Security 06-11-2019
0 3
mkhedr
I am about to register for Using Enterprise Security, but I would like to make sure I am going to receive an official m...
by mkhedr Explorer in Splunk Enterprise Security 06-11-2019
0 1
dgillette3
This Enterprise Security correlation search "Anomalous Audit Trail Activity Detected" is generating a whole bunch of ...
by dgillette3 Explorer in Splunk Enterprise Security 06-10-2019
0 0
spectrum2035
Currently we are having Splunk CIM 4.11.0 and we would like to upgrade it to Splunk 4.13.0 (to add new Endpoint data ...
by spectrum2035 Explorer in Splunk Enterprise Security 06-10-2019
0 2
rupalekar
Hi, for some reason none of my playbooks finish executing. They simply stay in a loop, even if it is a simple test li...
by rupalekar Explorer in Splunk Enterprise Security 06-10-2019
0 1
andreibanaru
We have two search heads: - First is used with Enterprise Security with CIM installed and acceleration enabled on som...
by andreibanaru Explorer in Splunk Enterprise Security 06-09-2019
0 1
mbarbaro
Hello, I would like to see the events associated with this source "Change - Abnormally High Number of Endpoint Changes...
by mbarbaro Path Finder in Splunk Enterprise Security 06-08-2019
0 1